Physical vs. Virtual Validations
When will in-person validations begin again?
The CTPAT program is monitoring the COVID-19 situation and making program decisions in line with U.S. CBP regarding travel, etc. The CTPAT annual work plan is typically released to the Supply Chain Security Specialists (SCSS) early in the year so that they can begin planning their validation activity. It is fair to say that CTPAT will be maximizing the use of virtual validations until a decision is made as to when in-person validations will take place.
What are the countries for which virtual validations are not being conducted? Are they being done for Mexico and China?
Virtual validations are being conducted on “lower risk” members based on CTPAT internal risk assessments for revalidations only. Currently, foreign suppliers in China are not being considered in this process. Companies in Mexico may be eligible based on risk.
If physical validations are not yet available for first-time validations, is CTPAT accepting new applications from Mexico?
Yes, but it will entirely depend on where the company is physically located in Mexico and there may be a delay in getting validated based on travel restrictions.
Mutual Recognition Validations
Is a validation conducted by the Mexico OEA or Canada PIP programs accepted by CTPAT as a revalidation?
Yes, but it is being accepted due to the Mutual Recognition Arrangement (MRA) that CBP/CTPAT has signed with Mexico and Canada. CTPAT member companies are still eligible to be revalidated by CBP at any given time.
Virtual Validation Process
Approximately how many days after initial contact from CBP will the virtual validation be conducted? How much notice time will CBP typically provide?
Once the validation is initiated through the CTPAT Portal, companies officially have 30 days’ notice, but in reality the SCSS works with the company to schedule the validation at a time that works best for all parties.
Will SCSS provide a list of questions that will be presented during virtual validation?
The SCSS will typically (although it is not a mandatory CTPAT program policy) provide an agenda in advance that specifies which criteria elements and supporting documentation will be discussed/verified during the virtual validation. If your SCSS does not provide an agenda in advance, you should request one.
Does CBP record the virtual validation?
What are the recommendations for video evidence that you use, such as length, quality and timing of capture?
Members may choose to upload a video as Evidence of Implementation (EOI) to the Portal or may choose to present a video during their virtual validation to paint a picture of the facility for the SCSS. In either case, there are no timing standards in place. Video evidence should be inclusive of the key aspects of the process you are capturing. For virtual validation videos, it is good to capture physical security and access control features and processes. Quality should be good enough so that viewers can clearly see what is being presented. If uploading video EOI to the Portal, there are file size limitations so you should coordinate with your SCSS.
If a video has someone speaking in Spanish, is it recommended to have someone translate it or leave it in Spanish?
While EOI such as written policies are not required to be in English, it is always helpful to the SCSS (if not fluent in Spanish) to at least have someone available to translate sections for their understanding. The same logic applies to video EOI. A good solution is to provide English closed captioning in the video. *Remember that all responses in the security profile must be provided in English.
Is it recommended to update the Security Profile / EOI frequently or only once per year?
Security Profiles are to be updated and submitted annually but companies should make updates as they occur and should communicate any significant updates (e.g. moving to/opening a new facility) to their SCSS directly.
Third Party Assistance
We are hiring a third-party consultant to evaluate our current program to identify any weaknesses – so we can develop an improvement plan. Do you consider this a good practice?
Hiring a third-party consultant is ultimately a business decision. It is important to know what your company’s goals are when considering this option. Hiring a competent consultant to improve your company’s ability to effectively comply with CTPAT requirements can often lead to better internal coordination and understanding of CTPAT-related roles and responsibilities. *Remember that the third-party consultant Points of Contact (POC) must be listed in the CTPAT Portal as a “Consultant” and NOT as a company Officer.